Reputation: 43
I'm currently working on implementing passport-openidconnect authentication with WSO2IS 5.4.1. The issue seems to be arising when my application makes the back channel request to WSO2IS for an access token. Referencing the protocol flow from here, it seems my application is failing on steps 5/6? Application shell:
jonathan@wso2is-sandbox:~/Projects/Javascript/vifi-ui$ nodejs app.js
Server Started on Port 3000
GET /dashboard
GET /favicon.ico
GET /oidconnect/login
GET /oidconnect/login/callback?code=2fdff378-4fe6-39ea-8dcd-347015c0e041&state=o8HKPWlxvlhCMMd4YqeC10fb&session_state=3b87e55e710e546583d135262778cba57448ff59e19fde24118b381ecba9dad2.67C2KJwqQ3bADsvrIQgveA
InternalOAuthError: failed to obtain access token
at /home/jonathan/Projects/Javascript/vifi-ui/node_modules/passport-openidconnect/lib/strategy.js:93:38
at /home/jonathan/Projects/Javascript/vifi-ui/node_modules/oauth/lib/oauth2.js:191:18
at ClientRequest.<anonymous> (/home/jonathan/Projects/Javascript/vifi-ui/node_modules/oauth/lib/oauth2.js:162:5)
at emitOne (events.js:77:13)
at ClientRequest.emit (events.js:169:7)
at TLSSocket.socketErrorListener (_http_client.js:258:9)
at emitOne (events.js:77:13)
at TLSSocket.emit (events.js:169:7)
at emitErrorNT (net.js:1256:8)
at nextTickCallbackWith2Args (node.js:441:9)
passport-openidconnect strategy and URL calls based on this:
const express = require('express');
const router = express.Router();
const passport = require('passport');
const OIDconnectStrategy = require('passport-openidconnect').Strategy;

const oIDconnectStrategy = new OIDconnectStrategy({
    // Note: passport-openidconnect expects the identity provider's issuer
    // identifier (the `iss` claim of the ID token) here, not the service
    // provider name configured in WSO2IS.
    issuer: 'WSO2app',
    clientID: 'fakeid',
    clientSecret: 'fakesecret',
    authorizationURL: 'https://localhost:9443/oauth2/authorize',
    tokenURL: 'https://localhost:9443/oauth2/token',
    // login endpoints
    callbackURL: 'http://localhost:3000/oidconnect/login/callback'
  },
  // passport-openidconnect picks which arguments it passes to this verify
  // callback by the callback's arity (see the module's lib/strategy.js).
  function(token, tokenSecret, profile, cb) {
    return cb(null, profile);
  });

passport.use(oIDconnectStrategy);

// The whole profile is kept in the session as-is.
passport.serializeUser(function(user, done) {
  done(null, user);
});
passport.deserializeUser(function(obj, done) {
  done(null, obj);
});

// Step 1: redirect the browser to the WSO2IS authorization endpoint.
router.get('/login',
  passport.authenticate('openidconnect', {
    failureRedirect: '/dashboard'
  })
);

// Step 5/6: the callback carries the code; the strategy exchanges it for
// tokens at tokenURL via the back channel before the handler runs.
router.get('/login/callback',
  passport.authenticate('openidconnect', {
    failureRedirect: '/dashboard',
    failureFlash: true
  }),
  function(req, res) {
    res.redirect('/wso2app');
  }
);

module.exports = router;
WSO2IS shell with oauth DEBUG:
[2018-05-04 12:18:21,359] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : iSUxUfktfR1OG4Cnwpt3kCHSxNca and callback_uri http://localhost:3000/oidconnect/login/callback
[2018-05-04 12:18:21,362] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : iSUxUfktfR1OG4Cnwpt3kCHSxNca ,App Name : WSO2app, Callback URL : http://localhost:3000/oidconnect/login/callback
[2018-05-04 12:18:30,860] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : [email protected], Client ID : iSUxUfktfR1OG4Cnwpt3kCHSxNca, Authorization Response Type : code, Requested callback URI : http://localhost:3000/oidconnect/login/callback, Requested Scope : openid
[2018-05-04 12:18:30,868] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default OAuth token issuer will be used. No custom token generator is set.
[2018-05-04 12:18:30,869] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default Identity OAuth token issuer will be used. No custom token generator is set.
[2018-05-04 12:18:30,870] DEBUG {org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager} - Successfully enabled AppInfoCache under OAuthCacheManager
[2018-05-04 12:18:30,872] DEBUG {org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager} - Approved scope(s) : openid
[2018-05-04 12:18:30,872] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2018-05-04 12:18:30,894] DEBUG {org.wso2.carbon.identity.oauth2.dao.AuthorizationCodeDAOImpl} - Persisting authorization code for client: iSUxUfktfR1OG4Cnwpt3kCHSxNca user: [email protected]
[2018-05-04 12:18:30,897] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil} - Authorization Code info was added to the cache for client id : iSUxUfktfR1OG4Cnwpt3kCHSxNca
[2018-05-04 12:18:30,897] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.util.ResponseTypeHandlerUtil} - Issued Authorization Code to user : [email protected], Using the redirect url : http://localhost:3000/oidconnect/login/callback, Scope : openid, validity period : 300000
[2018-05-04 12:18:30,897] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
Service Provider:Inbound Auth Config: OAuth/OpenidConn Config
ANY help would be greatly appreciated. Is the user not authorized to request/receive token? Are config edits required for WSO2IS? Thanks
Upvotes: 0
Views: 950
Reputation: 120
You are successfully receiving the authorization code. That means the user is authorized properly. Seems like your second call is wrong. Once you get the authorization code via a GET call, in order to get the access token you need to call the token endpoint as the second call with the authorization code you received, with the callback URL and the client secret. This should be a POST.
You will get the access token to the callback URL as the response. There must be an issue in your second request or you are not handling that properly.
You can follow the same [1] and check with an SSO tracer how requests are behaving.
[1] https://docs.wso2.com/display/IS541/Authorization+Code+Grant
Upvotes: 1